TeamTNT Criminal Group
TeamTNT is the name given to a cybercrime group that specializes in crypto-mining operations. Initially there was little to differentiate it from the other hacker groups carrying out this type of attack, but TeamTNT appears to be evolving its operations and has now been reported to collect Amazon Web Services (AWS) credentials from the servers it infects.
When TeamTNT first caught the attention of cybersecurity researchers, it was primarily targeting misconfigured Docker systems whose management-level API had been left open to the Internet without password protection. Once inside the network, the hackers would deploy servers that would carry out DDoS and crypto-mining operations.
The TeamTNT Criminal Group is Evolving
Since then, however, the hackers have expanded their operations by adding Kubernetes installations as potential targets. More importantly, according to the cybersecurity researchers at Cado Security, TeamTNT has added a scanner that checks the infected servers and collects AWS credentials. The hacker group looks in particular for the '/.aws/credentials' and '/.aws/config' files, copies them, and sends both files to the Command-and-Control (C2) server used for the attack campaign. It should be noted that neither file is encrypted: both store credentials for the AWS infrastructure in plaintext form.
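A defender-side check for the exposure just described, added here as an example and not taken from the article or from Cado Security: it parses a credentials file in the AWS INI format, reports profiles that hold static long-lived keys in plaintext (the ones whose theft gives lasting access), and flags files readable by other local users. The sample file content is constructed, and its key values are the placeholder examples from AWS documentation.

```python
import configparser
import stat
from pathlib import Path

# Constructed sample of an ~/.aws/credentials file. The key values are the
# placeholder examples from AWS documentation, not real credentials.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci-temp]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = FwoGZXIvYXdzEXAMPLETOKEN

[sso-dev]
sso_start_url = https://example.awsapps.com/start
"""

def classify_profiles(text: str) -> dict:
    """Map each profile to 'static' (long-lived key), 'temporary' or 'no-key'."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    kinds = {}
    for name in parser.sections():
        section = parser[name]
        if "aws_access_key_id" not in section:
            kinds[name] = "no-key"        # role-, SSO- or process-based profile
        elif "aws_session_token" in section:
            kinds[name] = "temporary"     # STS credentials expire on their own
        else:
            kinds[name] = "static"        # valid until rotated or revoked
    return kinds

def risky_mode(st_mode: int) -> bool:
    """True if the file mode lets group members or others read the file."""
    return bool(stat.S_IMODE(st_mode) & (stat.S_IRGRP | stat.S_IROTH))

def audit_file(path: Path) -> list:
    """Return findings for one credentials file: loose permissions, static keys."""
    findings = []
    if risky_mode(path.stat().st_mode):
        findings.append(f"{path}: readable by group/others")
    for name, kind in classify_profiles(path.read_text()).items():
        if kind == "static":
            findings.append(f"{path}: profile '{name}' stores a plaintext long-lived key")
    return findings
```

On a real host, call `audit_file(Path.home() / ".aws" / "credentials")` for each user home directory; any profile reported as static is one whose file, if copied off the machine, keeps working until the key is rotated.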
While it appears that TeamTNT has not yet started to exploit its access to AWS credentials, it could start doing so at any moment, as the credentials represent a huge monetary opportunity. The hackers could simply sell the collected credentials for direct gain, or use them to expand their criminal activities significantly by leveraging the potential access to AWS EC2 clusters and installing crypto-mining malware directly.